How to mask a URL in a Splunk alert email body

rashi83 · ‎11-18-2019

I am providing a search string in an alert email body.
I want to mask this search string instead of showing the contents of it.

How can we do it?

to4kawa · ‎11-18-2019

index=_internal source=license_usage.log type="Usage" idx=""
|stats sum(b) as vol by idx 
| eval gb=round(vol/1073741824,2)
| where gb>=0.3
| eval your_desire_url="https://splunk.google.com/licensedashboard?form.field1.earliest=%40d&form.field1.latest=now&form.ix=".$idx$."&form.hst=*&form.ste=*&form.sc=*&form.index=*"

$result.your_desire_url$ in email body

rashi83 · ‎11-18-2019

I am still getting the entire URL in the email .

This is still coming in email - https://splunk.google.com/licensedashboard?form.field1.earliest=%40d&form.field1.latest=now&form.ix=...

to4kawa · ‎11-19-2019

$result.your_desire_url$ works fine.
but $idx$ does not work.
Is there any problem with the eval result of a normal search?

to4kawa · ‎11-18-2019

Email notification
Hi, Uncheck Search String

rashi83 · ‎11-18-2019

this doesn't solve the problem. Now the search string is just coming as "

to4kawa · ‎11-18-2019

Please provide an example of the email text.

rashi83 · ‎11-18-2019

This is my alert search string : index=_internal source=license_usage.log type="Usage" idx=""
|stats sum(b) as vol by idx | eval gb=round(vol/1073741824,2)
|where gb>=0.3

This I want it in email body : The alert condition for '$name$' was triggered.

https://splunk.google.com/licensedashboard?form.field1.earliest=%40d&form.field1.latest=now&form.ix=...

Last URL I want to mask it and call it as Splunk Index or something instead of showing its contents.

How to mask a URL in a Splunk alert email body

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!